Firewall blocks port that is allowed in the rules list
-
You have to show us the NAT rule and the firewall rule or we can't help you.
-
What is the best way? A print screen or the config files?
thx mike
-
Here is the XML part from the NAT section:
<nat>
  <ipsecpassthru></ipsecpassthru>
  <rule>
    <protocol>tcp</protocol>
    <external-port>22</external-port>
    <target>192.168.1.16</target>
    <local-port>22</local-port>
    <interface>wan</interface>
    <descr>SSH Server Enif</descr>
  </rule>
  <rule>
    <protocol>tcp</protocol>
    <external-port>80</external-port>
    <target>192.168.20.14</target>
    <local-port>80</local-port>
    <interface>wan</interface>
    <descr>Web Server Scutum</descr>
  </rule>
  <rule>
    <protocol>udp</protocol>
    <external-port>5060-5062</external-port>
    <target>192.168.1.15</target>
    <local-port>5060</local-port>
    <interface>wan</interface>
    <descr>SIP</descr>
  </rule>
  <rule>
    <protocol>udp</protocol>
    <external-port>10000-10200</external-port>
    <target>192.168.1.15</target>
    <local-port>10000</local-port>
    <interface>wan</interface>
    <descr>RTP</descr>
  </rule>
  <advancedoutbound>
    <rule>
      <source>
        <network>192.168.1.0/24</network>
      </source>
      <sourceport></sourceport>
      <descr>LAN --> WAN</descr>
      <target></target>
      <interface>wan</interface>
      <destination>
        <any></any>
      </destination>
      <natport></natport>
    </rule>
    <rule>
      <source>
        <network>192.168.30.0/24</network>
      </source>
      <sourceport></sourceport>
      <descr>WLAN --> WAN</descr>
      <target></target>
      <interface>wan</interface>
      <destination>
        <any></any>
      </destination>
      <natport></natport>
    </rule>
    <rule>
      <source>
        <network>192.168.20.0/24</network>
      </source>
      <sourceport></sourceport>
      <descr>DMZ --> WAN</descr>
      <target></target>
      <interface>wan</interface>
      <destination>
        <any></any>
      </destination>
      <natport></natport>
    </rule>
    <enable></enable>
  </advancedoutbound>
</nat>
and rules:
<filter>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <max-src-conn-rate>1</max-src-conn-rate>
    <max-src-conn-rates>10</max-src-conn-rates>
    <protocol>tcp</protocol>
    <source>
      <any></any>
    </source>
    <destination>
      <address>192.168.1.16</address>
      <port>22</port>
    </destination>
    <log></log>
    <descr>NAT SSH Server Enif</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <protocol>tcp</protocol>
    <source>
      <any></any>
    </source>
    <destination>
      <any></any>
      <port>443</port>
    </destination>
    <log></log>
    <descr>OpenVPN Server ( spez. inport https )</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <protocol>tcp</protocol>
    <source>
      <any></any>
    </source>
    <destination>
      <address>192.168.20.14</address>
      <port>80</port>
    </destination>
    <descr>NAT Web Server Scutum</descr>
  </rule>
  **<rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <protocol>udp</protocol>
    <source>
      <network>wanip</network>
    </source>
    <destination>
      <address>192.168.1.15</address>
      <port>5060-5062</port>
    </destination>
    <log></log>
    <descr>NAT SIP</descr>
  </rule>**
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <protocol>tcp</protocol>
    <source>
      <network>wanip</network>
    </source>
    <destination>
      <network>opt2</network>
    </destination>
  </rule>
  **<rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <protocol>udp</protocol>
    <source>
      <any></any>
    </source>
    <destination>
      <address>192.168.1.15</address>
      <port>10000-10200</port>
    </destination>
    <log></log>
    <descr>NAT RTP</descr>
  </rule>**
  <rule>
    <type>pass</type>
    <interface>opt2</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <source>
      <network>opt2</network>
    </source>
    <destination>
      <network>lan</network>
    </destination>
  </rule>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <source>
      <network>opt1</network>
    </source>
    <destination>
      <network>wanip</network>
    </destination>
  </rule>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes></max-src-nodes>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype>keep state</statetype>
    <os></os>
    <protocol>tcp/udp</protocol>
    <source>
      <network>opt1</network>
      <port>22</port>
    </source>
    <destination>
      <network>lan</network>
      <port>22</port>
    </destination>
  </rule>
  <rule>
    <type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any></any>
    </destination>
  </rule>
  <rule>
    <interface>enc0</interface>
    <type>pass</type>
    <source>
      <any></any>
    </source>
    <destination>
      <any></any>
    </destination>
    <descr>Permit IPSEC traffic.</descr>
    <statetype>keep state</statetype>
  </rule>
</filter>
thx mike
-
You should forward and allow TCP for the 506x ports too. The higher ports should be UDP only, but depending on the implementation it might need TCP there too (http://en.wikipedia.org/wiki/Session_Initiation_Protocol).
-
Ok
I changed this, but it is totally unclear to me why pfSense blocks traffic that I want to pass.
thx mike
-
Show us the exact line of the block that you think should be a pass. Your firewall rules are somehow wrong. There is no other reason why it should block traffic besides that.
-
Hi,
those are the bold ones in the previous post; here is only this one:
NAT:
<rule>
  <protocol>udp</protocol>
  <external-port>5060-5062</external-port>
  <target>192.168.1.15</target>
  <local-port>5060</local-port>
  <interface>wan</interface>
  <descr>SIP</descr>
</rule>
Rules:
<rule>
  <type>pass</type>
  <interface>wan</interface>
  <max-src-nodes></max-src-nodes>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype>keep state</statetype>
  <os></os>
  <protocol>udp</protocol>
  <source>
    <network>wanip</network>
  </source>
  <destination>
    <address>192.168.1.15</address>
    <port>5060-5062</port>
  </destination>
  <log></log>
  <descr>NAT SIP</descr>
</rule>
thx mike
-
-
I was able to read the bold text the first time already ;)
I wanted to see the exact line of the block from Status > System logs > Firewall.
-
Sorry, here is the line:
"Mar 17 20:35:36 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP"
mike
-
On the port forward, do you happen to have the external address set to "any" instead of the interface IP?
-
I tried it, but nothing changed:
WAN TCP/UDP 5060 - 5069 192.168.1.15 (ext.: any) 5060 - 5069 SIP
Mar 17 21:34:34 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP
mike
-
The external interface has to be the interface IP. "any" is for rather special needs and should not normally be used. I'm out of clues ::)
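The thread never walks through which WAN pass rule the logged packet ("Mar 17 20:35:36 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP") should have matched. The following script is an added example, not from the thread or from pfSense: it transcribes the three WAN port-forward pass rules posted above into a constructed config fragment, parses a firewall-log line in the format shown, and evaluates each rule with a deliberately simplified model of pf's matching (same interface, protocol in the rule's list, source and destination address/port). The WAN address, the opt1/opt2 subnets and the function names are assumptions; the matcher ignores states, rule ordering beyond first match and interface groups. Run on the posted log line it reports that no rule matches, because the "NAT SIP" rule's source is the `wanip` alias (the firewall's own WAN address) rather than `any`, while the otherwise identical "NAT RTP" rule does match a packet in its port range.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed config fragment: the three WAN pass rules transcribed from the thread
# (pfSense's empty bookkeeping elements such as <max-src-nodes></max-src-nodes> omitted).
CONFIG_XML = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any></any></source>
  <destination><address>192.168.1.16</address><port>22</port></destination>
  <descr>NAT SSH Server Enif</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><network>wanip</network></source>
  <destination><address>192.168.1.15</address><port>5060-5062</port></destination>
  <descr>NAT SIP</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><any></any></source>
  <destination><address>192.168.1.15</address><port>10000-10200</port></destination>
  <descr>NAT RTP</descr></rule>
</filter></pfsense>"""

# Assumed values for pfSense's network aliases. The thread never states the WAN
# address, so a documentation-range placeholder is used; opt1/opt2 are guessed
# from the outbound NAT descriptions (WLAN, DMZ).
ALIASES = {
    "wanip": ipaddress.ip_network("203.0.113.10/32"),
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "opt1": ipaddress.ip_network("192.168.30.0/24"),
    "opt2": ipaddress.ip_network("192.168.20.0/24"),
}

# Matches the log format posted in the thread:
# "Mar 17 20:35:36 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP"
LOG_RE = re.compile(
    r"^[A-Za-z]{3} +\d+ [\d:]+ (?P<iface>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_log_line(line):
    """Split one firewall-log line into the fields a rule is matched on."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    d = m.groupdict()
    return {"iface": d["iface"].lower(), "proto": d["proto"].lower(),
            "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"])}


def port_in_spec(port, spec):
    """spec is None (any port), a single port "5060" or a range "5060-5062"."""
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def endpoint_matches(elem, addr, port):
    """elem is a rule's <source> or <destination>: <any>, <network>alias</network>
    or <address>x.x.x.x</address>, optionally followed by a <port>."""
    if elem is None or elem.find("any") is not None:
        net = None
    elif elem.find("network") is not None:
        net = ALIASES[elem.findtext("network")]
    else:
        net = ipaddress.ip_network(elem.findtext("address"), strict=False)
    if net is not None and addr not in net:
        return False
    return port_in_spec(port, None if elem is None else elem.findtext("port"))


def rule_matches(rule, pkt):
    """Simplified pf semantics: same interface, protocol in the rule's list
    (a missing <protocol> means any protocol), and both endpoints match."""
    if rule.findtext("interface") != pkt["iface"]:
        return False
    proto = rule.findtext("protocol")
    if proto and pkt["proto"] not in proto.split("/"):
        return False
    return (endpoint_matches(rule.find("source"), pkt["src"], pkt["sport"])
            and endpoint_matches(rule.find("destination"), pkt["dst"], pkt["dport"]))


def evaluate(config_xml, line):
    """Return [(descr, matched)] for every pass rule, in config order."""
    pkt = parse_log_line(line)
    root = ET.fromstring(config_xml)
    return [(r.findtext("descr") or "(no descr)", rule_matches(r, pkt))
            for r in root.iter("rule") if r.findtext("type") == "pass"]


def first_matching_pass_rule(config_xml, line):
    """Rule that would pass the packet, or None if it falls through to the default block."""
    for descr, ok in evaluate(config_xml, line):
        if ok:
            return descr
    return None


if __name__ == "__main__":
    for entry in ("Mar 17 20:35:36 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP",
                  "Mar 17 20:36:00 WAN 62.65.128.62:10000 192.168.1.15:10000 UDP"):
        print(entry, "->", first_matching_pass_rule(CONFIG_XML, entry))
```

Because pfSense applies port-forward filter rules after the redirect, the destination in both the log line and the rule is the internal target address; that is why the matcher compares 192.168.1.15 directly. Changing the SIP rule's `<source>` to `<any></any>` in CONFIG_XML makes the first log line match "NAT SIP", which is the check a defender would run before touching the port forward itself.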